OpenSSL: don't change default cipher suites #14655
Merged
See the below pull request & issue for details (and experimental research). Basically: enforcing a hardcoded string is a bad practice, as the constant will only change with future releases of Crystal (delaying a security fix until you upgrade your application to the latest Crystal release or latest master branch) + it will override an otherwise securely configured system (oops).
Note: in practice it won't change much, because the list of ciphers wasn't changed for TLS v1.2 and below starting from OpenSSL 1.1+ (see #14657).
closes #13686
closes #13727
NOTE: we might want to reconsider #13695 —or not: let the system configuration dictate the behavior.